04.44.13
CVE: Not Available
Platform: Unix
Title: pppd Remote Denial of Service
Description: pppd is vulnerable to a remote denial of service condition due to a failure of the application to properly handle invalid input. pppd version 2.4.1 is known to be vulnerable.
Ref: http://www.securityfocus.com/advisories/7406

------- Additional Comments From fedora-legacy-bugzilla-2004 2004-11-09 16:24:21 ----

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1002

Red Hat Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=137880
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=137881

This bug has been closed as "NOTABUG" by Red Hat Bugzilla.

But, fixed in updates in rpm ppp-2.4.2-5.2.FC2.
http://download.fedora.us/fedora/fedora/2/i386/SRPMS.updates/ppp-2.4.2-5.2.FC2.src.rpm

------- Additional Comments From bugzilla.fedora.us 2004-12-10 09:50:04 ----

The reason it was NOTABUG for fc1 is that it looks like you can only DOS yourself:

===
Date: Tue, 2 Nov 2004 10:12:30 +1100
From: Paul Mackerras <paulus>
To: Luke Macken <lewk>
Cc: gentoo-announce, bugtraq, full-disclosure.com, security-alerts
Subject: Re: [ GLSA 200411-01 ] ppp: Remote denial of service vulnerability

Luke Macken writes:

> The pppd server improperly verifies header fields, making it vulnerable
> to denial of service attacks.
>
> Impact
> ======
>
> An attacker can cause the pppd server to access memory that it isn't
> allowed to, causing the server to crash. No code execution is possible
> with this vulnerability, because no data is getting copied.

Furthermore, only the connection to the attacker will be affected, since a separate pppd process handles each ppp connection. In other words, an attacker can terminate their own connection, but they can not affect any other connection, or prevent new connections from being established.

Given that, I don't think that this is even a DoS vulnerability.

Paul.
===

------- Additional Comments From pekkas 2005-02-15 07:02:46 ----

Given the above and the fact that we already have a lot of pending updates on our plate, I'm closing this as WONTFIX.

------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2262 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2262
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.